Get it All

For those of you concerned with getting bombarded with new blogs built by strangers you don’t want on your network, but would still like to leave the registration process open to others, I’ve created a simple set of hacks that will allow this to happen. A caveat, however: you’ll need to have some little app on the same server that does MD5 hashing, so you know what you’re going to use as session phrases.

I say “session phrases” as opposed to “passwords,” because I would like to disabuse anyone reading this of the notion that this is any kind of real “security” per se. Rather, this is a simple way to keep nuisance registrations at bay while still allowing users to register as subscribers to blogs, and also send invitations to those you’d actually like to have a blog. The basic MU wp-signup.php form doesn’t really distinguish and rather allows anyone to get a blog on your network. Yikes! This is the kind of thing you’d at least want the option to override.

So, I did this. First step is opening wp-signup.php and browsing to around line 369. That is the line that is commented // Main, and that’s where you’re going to begin your editing. Change it to look like this:
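// Main
$passphrase = md5('numbnuts'); // Becomes 871dc980ec35a6c4468c3d091fe58d51, change this often!
if( empty( $_POST['stage'] ) ) {
    if ( isset( $_GET['session'] ) ) {
        if ( $_GET['session'] === $passphrase ) {
            // Session phrase matches: blog and username signup
            $active_signup = 'all';
        } else {
            // Session phrase present but wrong: no registration at all
            $active_signup = 'none';
        }
    } else {
        // No session phrase: username signup only
        $active_signup = 'user';
    }
} else { $active_signup = 'all'; }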

As you can see, my code uses a simple md5, but only for the sake of having an invitation code which is not guessable. You could forgo this step if you’d like. It checks for the existence of a session phrase, and if none exists, it allows the user to sign up for a user ID, but not a blog. If the session phrase is there but does not match, it locks the user out of registration altogether, and if the session phrase matches, the user is allowed to create his blog or his username.

The $active_signup variable determines what level of registration is available to users. Strange that this is not a variable that can be set through Options, eh? But it’s not. Happily, though, this makes for a less complicated hack. You could of course get more creative with the code than I did, but I wanted to keep things simple.
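
The same three-way decision as an added example (not code from WordPress MU or from the original post): the invitation code comes from PHP's CSPRNG instead of from hashing a word, is compared with hash_equals(), and is checked on every request, because the snippet above sets 'all' whenever $_POST['stage'] is present. The function names are hypothetical, and the signup form is assumed to repeat the code in a hidden "session" field.

```php
<?php
// Added example: function names are hypothetical, not part of WordPress MU.

// Generate the invitation code once and store it in your configuration.
// random_bytes() draws from the OS CSPRNG; 16 bytes gives 32 hex characters,
// the same length as an MD5 string, but not derived from a guessable word.
function make_invite_code(): string {
    return bin2hex(random_bytes(16));
}

// Map one request to a value for $active_signup.
// $request holds the request parameters ($_GET or $_POST). Assumption: the
// signup form repeats the code in a hidden "session" field, so the check
// also applies when the form is submitted.
function signup_level(array $request, string $invite_code): string {
    if (!isset($request['session'])) {
        return 'user';   // no code supplied: username only, no blog
    }
    $given = $request['session'];
    // session[]=x arrives as an array; hash_equals() requires strings.
    if (is_string($given) && hash_equals($invite_code, $given)) {
        return 'all';    // valid invitation: blog or username
    }
    return 'none';       // code present but wrong: registration closed
}

// Constructed sample requests, including form POSTs.
$code = make_invite_code();
$samples = [
    'no code'               => [],
    'wrong code'            => ['session' => 'guess'],
    'array instead of text' => ['session' => ['x']],
    'valid code on GET'     => ['session' => $code],
    'form POST, no code'    => ['stage' => 'constructed-stage'],
    'form POST, valid code' => ['stage' => 'constructed-stage', 'session' => $code],
];
foreach ($samples as $label => $request) {
    printf("%-24s => %s\n", $label, signup_level($request, $code));
}
```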

Updated! I discovered an interesting additional bug to this hack, which is that the signup_user() function won’t redirect validation errors correctly without a little help. I would actually call this a minor bug in the code of MU, but what do I know?

Search for the phrase “<?php if( $active_signup == 'blog' ) { ?>” around line 249 or so, and change it to:

<?php if( $active_signup == 'blog' || $active_signup == 'all' ) { ?>

This will force the system to enforce the same rules on errors. Some tricky devil figured out that failing to enter the correct data on my site allowed them to create a blog after it spit back the error. Imagine my chagrin!

The only other thing I did on this file was to rewrite line 426 to read:

printf(__("<p><em>Sorry! The blog you were looking for, <strong>%s</strong> doesn't exist!</em></p>"), $newblog );

This is a small hack, just for the sake of not suggesting that there could be a blog in the future of someone you have no interest in giving a blog to! The whole line seems to be a throw-away line in the first place, if you ask me.

At this point, you’ve basically eliminated the possibility of someone creating a blog without your permission. If a person types in a URL like or, they’ll get the option to create a username, but that’s it. If they try to go to wp-signup.php and try to create a blog there, they’ll need a valid session phrase to do that.

But why stop there? What if you could also enforce some organization to your blog’s subdomains/subdirectories? Rather than just inviting guests to blog with you, what if you could gently suggest what that sub-whatever looked like? Well you can!

On line 103 of wpmu-settings.php, you’ll find the code that redirects incorrect URLs. Edit the file to look like the below code:
if( defined( "WP_INSTALLING" ) == false ) {
    if( $current_site && $current_blog == null ) {
        if( !empty( $_GET['session'] ) ) {
            // Carry the session phrase along so wp-signup.php can check it
            header( "Location: http://{$current_site->domain}{$current_site->path}wp-signup.php?new=" . urlencode( $blogname )."&session=" . urlencode( $_GET['session'] ) );
        } else {
            header( "Location: http://{$current_site->domain}{$current_site->path}wp-signup.php?new=" . urlencode( $blogname ) );
        }
    }
    if( $current_blog == false || $current_site == false )
    // (the rest of the original block continues unchanged)

OK, now we’re cookin’! When you send out a link, you’ll send something that looks like this:

Hey! Come join my blog at:

Or, if you use virtual subdomains, you’d send something like this:
Hey! Come blog with me at:

Oh, and for those of you who’d like not to think more than you have to about writing that little MD5 hashing script, here’s the code for it:
<?php if(!isset($_GET['keyword'])) { ?>
<form method="get">
<label for="keyword">Keyword: <input type="text" name="keyword" id="keyword"></label>
<input type="submit"><input type="reset">
</form>
<?php } else {
// Hash the submitted keyword; the output is hex only, so it is safe to echo
$md5 = md5($_GET['keyword']);
?>
Your MD5 is <?php echo($md5) ?>
<?php } ?>